Bug#1087991: python-debian: GpgInfo fails for signatures with non-utf8 NOTATION_DATA

Simon Chopin schopin at ubuntu.com
Thu Nov 21 14:44:31 GMT 2024


Source: python-debian
Version: 0.1.49ubuntu3
Severity: normal
X-Debbugs-Cc: schopin at ubuntu.com, jak at debian.org


Hi there,

When trying to verify the attached DSC, it made python-debian crash with
a decoding error. The DSC is completely valid, but the DD who signed it
was using Sequoia rather than GnuPG at the time, and for some reason the
NOTATION_DATA section of the signature contains binary data.

While not particularly friendly, it's allowed by the spec.

You can reproduce very easily:

```python
from debian.deb822 import GpgInfo
GpgInfo.from_file("autopkgtest_5.38ubuntu1.dsc")
```

That should yield the following exception:

```
Traceback (most recent call last):
  File "<input>", line 1, in <module>
    GpgInfo.from_file("autopkgtest_5.38ubuntu1.dsc")
  File "/usr/lib/python3/dist-packages/debian/deb822.py", line 1404, in from_file
    return cls.from_sequence(target_file, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/debian/deb822.py", line 1374, in from_sequence
    return cls.from_output(out.decode('utf-8'),
                           ^^^^^^^^^^^^^^^^^^^
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xeb in position 374: invalid continuation byte
```

Note that `dscverify` has no qualms with the signature.

`gpgv --status-fd 1` gives us the following raw data:

Cheers,
Simon

-- System Information:
Debian Release: trixie/sid
  APT prefers plucky
  APT policy: (500, 'plucky')
Architecture: amd64 (x86_64)

Kernel: Linux 6.11.0-9-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
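The traceback above shows the failure mode: `from_sequence` decodes the whole `gpgv --status-fd` buffer as strict UTF-8, so a single non-UTF-8 byte in a `NOTATION_DATA` line aborts parsing of every status line, including `GOODSIG`/`VALIDSIG`. The following is an added example (not code from this report or from python-debian) showing one way to parse status-fd output byte-wise and per line, keeping undecodable bytes recoverable with `surrogateescape`. The status lines, key ID, notation name and data are constructed for the example and are not taken from the attached DSC; `[GNUPG:]`, `NOTATION_NAME`, `NOTATION_DATA` and `GOODSIG` are real gpgv status keywords, but the exact escaping gpgv applies to notation data is not relied on here, only the fact, as in the report, that the raw line may contain arbitrary bytes.

```python
"""Parse `gpgv --status-fd` output without assuming the buffer is valid UTF-8.

Added example, not python-debian's own code. SAMPLE_STATUS is a constructed
status-fd capture containing one notation whose value holds a raw 0xEB byte,
mirroring the byte that made the strict UTF-8 decode in the report fail.
"""

STATUS_PREFIX = b"[GNUPG:] "

# Constructed sample; the key ID, signer, notation name and data are invented.
SAMPLE_STATUS = (
    b"[GNUPG:] NEWSIG\n"
    b"[GNUPG:] SIG_ID abcDEF0123456789 2024-11-21 1732200000\n"
    b"[GNUPG:] NOTATION_NAME example@example.org\n"
    b"[GNUPG:] NOTATION_DATA binary\xeb\x01data\n"
    b"[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
)


def decode_whole_buffer(raw):
    """The approach that fails: strict UTF-8 decode of the entire buffer."""
    return raw.decode("utf-8")


def strict_decode_fails(raw):
    """True if the whole-buffer decode raises UnicodeDecodeError."""
    try:
        decode_whole_buffer(raw)
    except UnicodeDecodeError:
        return True
    return False


def parse_status(raw):
    """Return a list of (keyword, args) tuples, one per status line.

    Each line is handled on its own, so one undecodable argument cannot
    take down the GOODSIG/VALIDSIG lines around it. Keywords are always
    ASCII; arguments are decoded with errors='surrogateescape' so the
    original bytes can be recovered exactly (see notation_data_bytes).
    """
    records = []
    for line in raw.split(b"\n"):
        if not line.startswith(STATUS_PREFIX):
            continue  # gpgv may interleave non-status output; skip it
        body = line[len(STATUS_PREFIX):]
        keyword, sep, args = body.partition(b" ")
        records.append((
            keyword.decode("ascii"),
            args.decode("utf-8", errors="surrogateescape") if sep else "",
        ))
    return records


def keywords(records):
    """Status keywords in the order gpgv emitted them."""
    return [kw for kw, _ in records]


def notation_data_bytes(records):
    """Recover the exact bytes of every NOTATION_DATA argument."""
    return [
        args.encode("utf-8", errors="surrogateescape")
        for kw, args in records
        if kw == "NOTATION_DATA"
    ]


def good_signature_keyid(records):
    """Key ID from the first GOODSIG line, or None if none was emitted."""
    for kw, args in records:
        if kw == "GOODSIG":
            return args.split(" ", 1)[0]
    return None


if __name__ == "__main__":
    print("strict decode fails:", strict_decode_fails(SAMPLE_STATUS))
    recs = parse_status(SAMPLE_STATUS)
    print("keywords:", keywords(recs))
    print("notation data:", notation_data_bytes(recs))
    print("GOODSIG key:", good_signature_keyid(recs))
```

`surrogateescape` is chosen over `errors="replace"` because it is lossless: a verifier that wants to inspect or log the notation value gets the original bytes back, while the rest of the status stream is still ordinary text.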
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (native)
Source: autopkgtest
Binary: autopkgtest
Architecture: all
Version: 5.38ubuntu1
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Uploaders:  Ian Jackson <ijackson at chiark.greenend.org.uk>, Martin Pitt <mpitt at debian.org>, Antonio Terceiro <terceiro at debian.org>, Paul Gevers <elbrus at debian.org>, Simon McVittie <smcv at debian.org>, Paride Legovini <paride at debian.org>,
Standards-Version: 4.6.2
Vcs-Browser: https://salsa.debian.org/ci-team/autopkgtest
Vcs-Git: https://salsa.debian.org/ci-team/autopkgtest.git
Testsuite: autopkgtest
Testsuite-Triggers: adduser, autodep8, build-essential, buildah, ca-certificates, catatonit, debhelper, debian-archive-keyring, debootstrap, devscripts, distro-info, dnsmasq, dnsmasq-base, docker.io, dumb-init, fakeroot, golang-github-containernetworking-plugin-dnsname, iproute2, iptables, libpam-cgfs, lxc, lxc-templates, lxcfs, lxd, lxd-installer, mmdebstrap, podman, python3-distro-info, rsync, sbuild, schroot, slirp4netns, tini, uidmap, util-linux
Build-Depends: debhelper-compat (= 13), fakeroot <!nocheck>, procps <!nocheck>, pycodestyle | pep8 <!nocheck>, pyflakes3 <!nocheck>, python3 (>= 3.8), python3-debian <!nocheck>, python3-docutils
Package-List:
 autopkgtest deb devel optional arch=all
Checksums-Sha1:
 4c0f9acec87b6c6e9d43cdf486d62a3ec69ec5b3 229420 autopkgtest_5.38ubuntu1.tar.xz
Checksums-Sha256:
 dbc550a9c36e11c44c2a5317d44764ec8217b4c673676e929a6750be8ffa4010 229420 autopkgtest_5.38ubuntu1.tar.xz
Files:
 eece5090a399d30148c6e7c8b64c0401 229420 autopkgtest_5.38ubuntu1.tar.xz
Original-Maintainer: Debian CI team <team+ci at tracker.debian.org>

-----BEGIN PGP SIGNATURE-----
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==
=t3av
-----END PGP SIGNATURE-----

